ISM-1671 – Technical Resolution Guidance
What is ISM-1671?
Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
Background
This control limits the use of macros in Microsoft Office applications to users with a valid business need.
Macros automate tasks in Office documents but can also be used to deliver harmful code. By default, macros are disabled for all users unless they can show a legitimate need, reducing the risk of malicious code and lowering the organization’s attack surface.
Applicability
This control is relevant to the following:
- Maturity Level 1, 2, and 3 Controls
Evaluation Results
Status | Description |
---|---|
Effective | Keys are present and configured correctly. |
Ineffective | Keys are not present or not configured correctly. |
Not Applicable | Microsoft Office is not installed or not applicable to this device. |
Testing Parameters
The following is a list of Microsoft Office products:
- Microsoft Access 2016 or greater
- Microsoft Excel 2016 or greater
- Microsoft PowerPoint 2016 or greater
- Microsoft Visio 2016 or greater
- Microsoft Word 2016 or greater
By default, all Microsoft Office users are subject to a policy that blocks macro execution, with specific settings for each Office application, so that only users with a clear business need can run them.
Macros can be disabled globally for all Office applications by applying the Disable VBA for Office applications policy; however, to ensure that individual applications do not override this setting, each one must also be configured to block macros.
All Microsoft Office 2016 – Global:
- Automation Security – Enabled – Set the Automation Security level: Disable macros by default
- Disable VBA for Office applications – Enabled
- Allow mix of policy and user locations – Disabled
- Allow Trusted Locations on the network – Disabled
- Disable all Trusted Locations – Enabled
- Turn off Trusted Documents – Enabled
- Turn off Trusted Documents on the network – Enabled
- VBA Macro Notification Settings – Enabled: Disable all without notification
- Trust access to Visual Basic Project – Disabled
- Apply macro security settings to macros, add-ins and additional actions – Enabled
- Security settings for macros – Enabled – Warning for signed, disable unsigned
- Publisher Automation Security Level – Enabled – High (Disabled)
- Enable Microsoft Visual Basic for Applications project creation – Disabled
- Load Microsoft Visual Basic for Applications projects from text – Disabled
Policies/Description | Registry Key | Value |
---|---|---|
Turn off trusted documents | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\access\security\trusted documents | disabletrusteddocuments = 1 |
Turn off Trusted Documents on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\access\security\trusted documents | disablenetworktrusteddocuments = 1 |
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\access\security | vbawarnings = 3 or 4 |
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\access\security\trusted locations | allownetworklocations = 0 |
Disable all trusted locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\access\security\trusted locations | alllocationsdisabled = 1 |
Trust access to Visual Basic Project | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security | accessvbom = 0 |
Turn off trusted documents | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security\trusted documents | disabletrusteddocuments = 1 |
Turn off Trusted Documents on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security\trusted documents | disablenetworktrusteddocuments = 1 |
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security | vbawarnings = 3 or 4 |
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security\trusted locations | allownetworklocations = 0 |
Disable all trusted locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security\trusted locations | alllocationsdisabled = 1 |
Automation Security | HKCU\SOFTWARE\Policies\Microsoft\office\common\security | automationsecurity = 3 |
Disable VBA for Office applications | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\Common | VBAOFF = 1 |
Disable VBA for Office applications | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\Common | VBAOFF = 1 |
Allow mix of policy and user locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\common\security\trusted locations | allow user locations = 0 |
Apply macro security settings to macros, add-ins and additional actions | HKCU\SOFTWARE\policies\Microsoft\office\16.0\outlook\security | donttrustinstalledfiles = 1 |
Security settings for macros | HKCU\SOFTWARE\policies\Microsoft\office\16.0\outlook\security | Level = 3 or 4 |
Trust access to Visual Basic Project | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security | accessvbom = 0 |
Turn off trusted documents | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security\trusted documents | disabletrusteddocuments = 1 |
Turn off Trusted Documents on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security\trusted documents | disablenetworktrusteddocuments = 1 |
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security | vbawarnings = 3 or 4 |
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security\trusted locations | allownetworklocations = 0 |
Disable all trusted locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security\trusted locations | alllocationsdisabled = 1 |
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\ms project\security\trusted locations | allownetworklocations = 0 |
Disable all trusted locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\ms project\security\trusted locations | alllocationsdisabled = 1 |
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\ms project\security | vbawarnings = 3 or 4 |
Publisher Automation Security Level | HKCU\SOFTWARE\Policies\Microsoft\office\common\security | automationsecuritypublisher = 3 |
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\publisher\security | vbawarnings = 3 or 4 |
Enable Microsoft VBA project creation | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\application | createvbaprojects = 0 |
Load Microsoft VBA projects from text | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\application | loadvbaprojectsfromtext = 0 |
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\security\trusted locations | allownetworklocations = 0 |
Disable all trusted locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\security\trusted locations | alllocationsdisabled = 1 |
Turn off trusted documents | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\security\trusted documents | disabletrusteddocuments = 1 |
Turn off Trusted Documents on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\security\trusted documents | disablenetworktrusteddocuments = 1 |
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\security | vbawarnings = 3 or 4 |
Trust access to Visual Basic Project | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security | accessvbom = 0 |
Turn off trusted documents | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security\trusted documents | disabletrusteddocuments = 1 |
Turn off Trusted Documents on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security\trusted documents | disablenetworktrusteddocuments = 1 |
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security | vbawarnings = 3 or 4 |
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security\trusted locations | allownetworklocations = 0 |
Disable all trusted locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security\trusted locations | alllocationsdisabled = 1 |
Remediation Steps
Group policy allows groups of users with a clear business need to run macros, while blocking everyone else from doing so. Group policies to ensure that all macros are disabled:
Policy | Name | Value1 | Value2 |
---|---|---|---|
User Configuration\Policies\Administration Templates\Microsoft Access 2016\Application Settings\Security\Trust Center | Turn off Trusted Documents | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Access 2016\Application Settings\Security\Trust Center | Turn off Trusted Documents on the network | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Access 2016\Application Settings\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros |
User Configuration\Policies\Administration Templates\Microsoft Access 2016\Application Settings\Security\Trust Center\Trusted Locations | Allow Trusted Locations on the network | Disabled | |
User Configuration\Policies\Administration Templates\Microsoft Access 2016\Application Settings\Security\Trust Center\Trusted Locations | Disable all Trusted Locations | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center | Trust access to Visual Basic Project | Disabled | |
User Configuration\Policies\Administration Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center | Turn off Trusted Documents | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center | Turn off Trusted Documents on the network | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros |
User Configuration\Policies\Administration Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center\Trusted Locations | Allow Trusted Locations on the network | Disabled | |
User Configuration\Policies\Administration Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center\Trusted Locations | Disable all Trusted Locations | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Office 2016\Security Settings | Automation Security | Enabled | Set the Automation Security level: Disable macros by default |
User Configuration\Policies\Administration Templates\Microsoft Office 2016\Security Settings | Disable VBA for Microsoft Office applications | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Office 2016\Security Settings\Trust Center | Allow mix of policy and user locations | Disabled | |
User Configuration\Policies\Administration Templates\Microsoft Outlook 2016\Security\Trust Center | Apply macro security settings to macros, add-ins and additional actions | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Outlook 2016\Security\Trust Center | Security settings for macros | Enabled | Security Level: Never warn, disable all |
User Configuration\Policies\Administration Templates\Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center | Trust access to Visual Basic Project | Disabled | |
User Configuration\Policies\Administration Templates\Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center | Turn off Trusted Documents | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center | Turn off Trusted Documents on the network | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros |
User Configuration\Policies\Administration Templates\Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center\Trusted Locations | Allow Trusted Locations on the network | Disabled | |
User Configuration\Policies\Administration Templates\Microsoft Publisher 2016\Security | Publisher Automation Security Level | Enabled | High (disabled) |
User Configuration\Policies\Administration Templates\Microsoft Visio 2016\Visio Options\Security\Macro Security | Enable Microsoft Visual Basic for Applications project creation | Disabled | |
User Configuration\Policies\Administration Templates\Microsoft Visio 2016\Visio Options\Security\Macro Security | Load Microsoft Visual Basic for Applications projects from text | Disabled | |
User Configuration\Policies\Administration Templates\Microsoft Visio 2016\Visio Options\Security\Trust Center | Allow Trusted Locations on the network | Disabled | |
User Configuration\Policies\Administration Templates\Microsoft Visio 2016\Visio Options\Security\Trust Center | Disable all Trusted Locations | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Visio 2016\Visio Options\Security\Trust Center | Turn off Trusted Documents | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Visio 2016\Visio Options\Security\Trust Center | Turn off Trusted Documents on the network | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Visio 2016\Visio Options\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros |
User Configuration\Policies\Administration Templates\Microsoft Word 2016\Word Options\Security\Trust Center | Trust access to Visual Basic Project | Disabled | |
User Configuration\Policies\Administration Templates\Microsoft Word 2016\Word Options\Security\Trust Center | Turn off Trusted Documents | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Word 2016\Word Options\Security\Trust Center | Turn off Trusted Documents on the network | Enabled | |
User Configuration\Policies\Administration Templates\Microsoft Word 2016\Word Options\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros |
User Configuration\Policies\Administration Templates\Microsoft Word 2016\Word Options\Security\Trust Center\Trusted Locations | Allow Trusted Locations on the network | Disabled | |
User Configuration\Policies\Administration Templates\Microsoft Word 2016\Word Options\Security\Trust Center\Trusted Locations | Disable all Trusted Locations | Enabled | |
Validation Process
Validate that the policy is being applied correctly on the end device by confirming that the registry keys listed under Testing Parameters are present with the expected values.
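The following PowerShell check is an added example, not part of the original guidance: it audits the HKCU policy values from the registry table above for the logged-on user and reports any key that is missing or mis-set. It assumes the 16.0 hive and the application list given under Testing Parameters.

```powershell
# Added example (not part of the ISM-1671 guidance): audit the per-user policy keys from the
# registry table and report the control as Effective or Ineffective for the current user.
# Assumes Office 2016 or later (the 16.0 hive) and the application list from Testing Parameters.
$base = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0'
$apps = 'access', 'excel', 'powerpoint', 'visio', 'word'

# Global keys: key path, value name and the set of acceptable values from the table
$checks = @(
    @{ Key = "$base\Common";                            Name = 'VBAOFF';               Ok = @(1) }
    @{ Key = "$base\common\security\trusted locations"; Name = 'allow user locations'; Ok = @(0) }
    @{ Key = 'HKCU:\SOFTWARE\Policies\Microsoft\office\common\security'; Name = 'automationsecurity'; Ok = @(3) }
)
# Per-application keys shared by every listed application (vbawarnings accepts 3 or 4 per the table)
foreach ($app in $apps) {
    $checks += @{ Key = "$base\$app\security";                   Name = 'vbawarnings';                    Ok = @(3, 4) }
    $checks += @{ Key = "$base\$app\security\trusted locations"; Name = 'allownetworklocations';          Ok = @(0) }
    $checks += @{ Key = "$base\$app\security\trusted locations"; Name = 'alllocationsdisabled';           Ok = @(1) }
    $checks += @{ Key = "$base\$app\security\trusted documents"; Name = 'disabletrusteddocuments';        Ok = @(1) }
    $checks += @{ Key = "$base\$app\security\trusted documents"; Name = 'disablenetworktrusteddocuments'; Ok = @(1) }
}
# "Trust access to Visual Basic Project" is listed for Excel, PowerPoint and Word only
foreach ($app in 'excel', 'powerpoint', 'word') {
    $checks += @{ Key = "$base\$app\security"; Name = 'accessvbom'; Ok = @(0) }
}
# Visio-specific VBA project settings
$checks += @{ Key = "$base\visio\application"; Name = 'createvbaprojects';       Ok = @(0) }
$checks += @{ Key = "$base\visio\application"; Name = 'loadvbaprojectsfromtext'; Ok = @(0) }

# Read each value; a missing key or value, or a value outside the accepted set, is a failure
$failures = foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
    if ($null -eq $actual) {
        [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Expected = ($c.Ok -join '|'); Actual = '<missing>' }
    } elseif ($c.Ok -notcontains [int]$actual) {
        [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Expected = ($c.Ok -join '|'); Actual = $actual }
    }
}

if ($failures) {
    Write-Output 'ISM-1671: Ineffective - the following keys are not present or not configured correctly:'
    $failures | Format-Table -AutoSize
} else {
    Write-Output 'ISM-1671: Effective - all checked keys are present and configured correctly.'
}
```

Run it in the context of the user being assessed, since the keys live under HKCU; the HKLM copy of VBAOFF in the table is not covered by this per-user check.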
Risk Consideration
Disabling macros for users without a clear business need reduces the risk of malware infections, unauthorized access, social engineering attacks, and insider threats associated with macros. This control aligns with security best practices by minimizing attack surfaces and helping organizations adhere to regulatory requirements while improving their overall security posture.